The Rise of Privacy and Personal Data

The first months of 2016 have brought about a series of changes regarding the protection of personal data. This change also affects Romania, an EU (European Union) member state.

For this reason, when the organizers of the IT Camp event (www.itcamp.ro) invited me, for the third year in a row, to Cluj-Napoca, I stopped and pondered on whether I should tackle these issues or not. However, because the IT&C field is many times shrouded by the "dark clouds" of personal data - I mustered all my courage and wrote "The rise of privacy & personal data in the IT business".

It is a great challenge to speak to the IT Camp participants of matters which have to do with the recent law changes. You may ask yourselves why this is so.

First of all, IT specialists are less prone to focus on personal data (Why would they need to focus on this? Not until recently, most developers were just writing code. There were rare, superficial discussions on how they should implement concepts such as "privacy by design", transparency or "customer trust", etc. in the applications they create).

Second of all, the legal aspects mentioned above are many and complex. I estimate that, in the next five years, the topic will become notorious both in the EU and in Romania. Briefly, the legal changes take the following into account:

The reform of the entire EU legal domain in matters such as the management of personal data, after negotiations which lasted 4 years;

The EU Court of Justice invalidated (at the end of 2015) the Safe Harbor Principles, a law which underpinned the way in which personal data was transferred from the EU to the USA;

It was suggested that the Safe Harbor Principles should be replaced by the EU-U.S. Privacy Shield. This was followed by ample and controversial discussions regarding the text of this proposition (as some foreign experts considered the proposed text too complex). EU-U.S. Privacy Shield would impose stricter and more detailed requirements on the USA part, in the case of the transfer of the data that originates from EU users. If you want to become more familiar with the subject, you may consult this PDF1 and several relevant papers aici2, aici3 and aici4;

In the official EU Bulletin issued on the 4th May 2016, new rules regarding the protection of personal data were published. This was meant to be a pan-European law in our field of interest (the New Regulations). You can find the full text aici5. The New Regulations will become effective at the end of May 2016, but they will become applicable only starting with the 25th of May 2018 (the regulations will be applied simultaneously in the 28 EU member states, without any need for a mediating national law);

Companies will have stricter obligations in the way they handle the personal data of individuals, especially in the case of those technologies involved in profiling activities (for example, technologies that have to do with the Internet of Things (IoT));

Harsher sanctions will be applied if companies, in charge of handling personal data, will not obey the new regulations. The consequence is that companies may pay up to 4% of their global turnover;

Some of the current requirements will be eliminated and new ones will be added. For instance, in some conditions, the companies should no longer notify EU authorities that they are handling personal data. However, the companies should keep a written record of all the activities regarding the handling of personal data;

New requirements will be introduced - for example, companies must implement means of encrypting and making data pseudo-anonymous (data encryption); companies must implement "Privacy by Design"; companies which collect personal data from individuals must delegate, under certain circumstances, a person who can deal with data-related aspects, etc.;

The newly introduced "one-stop-shop" principle should allow companies which are active on various EU markets to deal with only one competent authority, not several (as it is the case now);

The companies from outside the EU must also obey the New Regulations, as far as they deal with EU customers which are subjected to IT profiling, in the delivery of products and services;

You may, of course, claim that there is still time, given that the New Regulations will become applicable in two years' time. However, remember that the changes are significant. Therefore, it is recommended that you use this transition period to become acquainted with the practices that you will later need to implement in the management of personal data, so that it obeys the new requirements. In the future, there will be greater exposure to inspections and complaints from individuals whose personal data has not been properly processed.

In conclusion, data protection is no longer a slogan for those keen on human rights. The topic has become an issue with serious economic consequences. The topic is not a joke anymore. The sanctions and fines will be prohibitive. We live exciting times, from a legal point of view.